<html>
<head><meta charset="utf-8"><title>actionable work items · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html">actionable work items</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136072027"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136072027" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136072027">(Oct 18 2018 at 21:11)</a>:</h4>
<p>If you would like to contribute, but aren't sure how, this is the thread for you. If you have a security-related project that you could use some help with, this is also the thread for you. Post some actionable work items!</p>



<a name="136072033"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136072033" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136072033">(Oct 18 2018 at 21:11)</a>:</h4>
<p>For example: <a href="https://github.com/blt/bughunt-rust" target="_blank" title="https://github.com/blt/bughunt-rust">https://github.com/blt/bughunt-rust</a> tries to verify correctness of data structure implementations in Rust stdlib, following a CVE in VecDeque. It currently verifies HashMap and VecDeque, extending it to more data structures would be appreciated.</p>



<a name="136072286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136072286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136072286">(Oct 18 2018 at 21:16)</a>:</h4>
<p>The <a href="https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413">fixed-capacity view of Vec</a> proposal kind of died once I ran out of time to dedicate to it. We have a prototype implementation of it in a crate; explaining why it's a bad idea, or completing and publishing the implementation would be appreciated.</p>



<a name="136072510"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136072510" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136072510">(Oct 18 2018 at 21:21)</a>:</h4>
<p>A program that sifts through <a href="https://github.com/rust-lang/crates.io-index" target="_blank" title="https://github.com/rust-lang/crates.io-index">crates.io index</a>, matches contents of Cargo.lock and Cargo.toml in crates against <a href="https://github.com/RustSec/advisory-db" target="_blank" title="https://github.com/RustSec/advisory-db">RustSec advisory DB</a> and alerts maintainers of crates that depend on vulnerable versions of other crates would be nice. This is rather easy to implement since <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index is just a git repository and <a href="https://crates.io/crates/rustsec" target="_blank" title="https://crates.io/crates/rustsec">rustsec crate</a> takes care of version matching.</p>



<a name="136072826"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136072826" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136072826">(Oct 18 2018 at 21:27)</a>:</h4>
<p>It would be nice to have a beginner’s guide to using <a href="https://github.com/smackers/smack" target="_blank" title="https://github.com/smackers/smack">SMACK</a> to verify correctness of Rust programs; it’s a symbolic execution engine that <a href="http://soarlab.org/publications/atva2018-bhr.pdf" target="_blank" title="http://soarlab.org/publications/atva2018-bhr.pdf">has been adapted for Rust</a> recently.</p>



<a name="136073063"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136073063" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136073063">(Oct 18 2018 at 21:31)</a>:</h4>
<p>Clippy could use a lint for slow vector initialization that people tend to rewrite into unsafe code instead of using efficient zero-initialization. Details at <a href="https://github.com/rust-lang-nursery/rust-clippy/issues/3237" target="_blank" title="https://github.com/rust-lang-nursery/rust-clippy/issues/3237">https://github.com/rust-lang-nursery/rust-clippy/issues/3237</a></p>



<a name="136073379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136073379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136073379">(Oct 18 2018 at 21:36)</a>:</h4>
<p>Here's a more general one: pick a popular crate that uses <code>unsafe</code>, check out why it does that, try turn it into safe code without regressing performance; describe how you did it if you succeed, describe why that failed if you didn’t. This will expose missing but needed safe abstractions and form basis for clippy warnings or some kind of safety guidelines.</p>



<a name="136126856"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136126856" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136126856">(Oct 19 2018 at 17:36)</a>:</h4>
<p><span class="emoji emoji-1f446" title="point up">:point_up:</span> should I post these to github as issues?</p>



<a name="136128783"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136128783" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136128783">(Oct 19 2018 at 18:06)</a>:</h4>
<p>I'd maybe restrict to only those things which have concrete next steps rather than just "we'd like something that does X." But yeah, definitely.</p>
<p>I think an issue that tracks the "find out why people use <code>unsafe</code>" effort would be particularly useful.</p>



<a name="136130522"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136130522" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136130522">(Oct 19 2018 at 18:34)</a>:</h4>
<p>"find out why people use <code>unsafe</code>" is probably out of scope of an issue. I'd make it a repo or something. We should probably reach out to the community too, e.g. on Reddit, This Week In Rust, etc. and just ask.</p>



<a name="136200594"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136200594" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136200594">(Oct 21 2018 at 05:48)</a>:</h4>
<p>RE: "find out why people use <code>unsafe</code>", maybe it would be better to limit the exploration to libstd and maybe some other core crates and see if there is any commonality that could be factored out into library features or language features that would reduce the need for <code>unsafe</code> in a substantial way, e.g. safe conversion APIs that would reduce the uses of <code>transmute</code>.</p>



<a name="136350363"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136350363" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136350363">(Oct 23 2018 at 17:03)</a>:</h4>
<blockquote>
<p>A program that sifts through <a href="https://github.com/rust-lang/crates.io-index" target="_blank" title="https://github.com/rust-lang/crates.io-index">crates.io index</a>, matches contents of Cargo.lock and Cargo.toml in crates against <a href="https://github.com/RustSec/advisory-db" target="_blank" title="https://github.com/RustSec/advisory-db">RustSec advisory DB</a> and alerts maintainers of crates that depend on vulnerable versions of other crates would be nice. This is rather easy to implement since <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index is just a git repository and <a href="https://crates.io/crates/rustsec" target="_blank" title="https://crates.io/crates/rustsec">rustsec crate</a> takes care of version matching.</p>
</blockquote>
<p>I've actually got some code that trawls through the crates index that can be adapted to this purpose, so I've started this task.</p>



<a name="136352676"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136352676" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136352676">(Oct 23 2018 at 17:34)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> Awesome! Would you like to create an issue in the wg repo to track this?</p>



<a name="136354302"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136354302" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136354302">(Oct 23 2018 at 17:57)</a>:</h4>
<p>Sure</p>



<a name="136355161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136355161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136355161">(Oct 23 2018 at 18:07)</a>:</h4>
<p>Posted <a href="https://github.com/rust-secure-code/wg/issues/13" target="_blank" title="https://github.com/rust-secure-code/wg/issues/13">issue</a> to wg repo.</p>



<a name="136357908"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/actionable%20work%20items/near/136357908" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/actionable.20work.20items.html#136357908">(Oct 23 2018 at 18:42)</a>:</h4>
<p>Thanks!</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>